<html>
<head><meta charset="utf-8"><title>reporting-preference · wg-secure-code · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/index.html">wg-secure-code</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html">reporting-preference</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="208027502"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208027502" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208027502">(Aug 25 2020 at 21:39)</a>:</h4>
<p>Hello, I've been recently working on common undefined behavior bug detection for Rust crates. It is still preliminary, but the initial run on <a href="http://crates.io">crates.io</a> seems promising. There are a lot of bugs that are similar to <a href="https://github.com/RustSec/advisory-db/pull/360">#360</a> and <a href="https://github.com/RustSec/advisory-db/pull/362">#362</a> in the backlog, and I would like to hear maintainers' feedback before spamming the advisory DB :)</p>
<p>Specifically,</p>
<ol>
<li>Do you want any additional information to be included in the report? If there is anything that may reduce the burden and the time to confirm the bug on maintainers' side, please let me know.</li>
<li>Do you have any guide to distinguish an informational unsound advisory and a full security advisory? I'm filing a security advisory for bugs if I think the bug can be triggered during the natural usage of the library. I'm concerned that "natural usage" might be too subjective.</li>
</ol>



<a name="208027761"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208027761" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Alex Gaynor <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208027761">(Aug 25 2020 at 21:41)</a>:</h4>
<p>I don't really have an opinion on either of your questions -- I just wanted to say it's awesome that you're working on automatic UB detection! Is it static or dynamic analysis?</p>



<a name="208031197"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208031197" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208031197">(Aug 25 2020 at 22:16)</a>:</h4>
<p>Thanks! Our tool uses a static analysis, and we are focusing on adding more UB models and reducing the false positive rates.</p>



<a name="208062626"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208062626" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208062626">(Aug 26 2020 at 07:59)</a>:</h4>
<p>that sounds really interesting, I am curious to read more about it :)</p>



<a name="208272768"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208272768" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208272768">(Aug 27 2020 at 20:37)</a>:</h4>
<p>On 1: I think your reports on the upstream issues are very detailed and presented very well as it is, and that's what I usually read before merging the advisory. So I think the existing info is more than sufficient.</p>



<a name="208273052"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208273052" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208273052">(Aug 27 2020 at 20:39)</a>:</h4>
<p>On 2: I remember your call for defining the distinction more formally, and I think it's an important to do. But AFAIK this is an unsolved problem in general (with CWE designed to provide a formal framework for that sort of thing, but usually falling short) and I'm not familiar with anything at all that would be applicable to Rust and its encapsulation guarantees. So pending some novel research I'm afraid we'll have to go with subjective evaluation of natural usage for now.</p>



<a name="208273258"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/208273258" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#208273258">(Aug 27 2020 at 20:41)</a>:</h4>
<p>Regarding static analysis, this might also be of interest - the authors have built some ad-hoc static analysis tools and found a bunch of bugs: <a href="https://cseweb.ucsd.edu/~yiying/RustStudy-PLDI20.pdf">https://cseweb.ucsd.edu/~yiying/RustStudy-PLDI20.pdf</a></p>



<a name="217068326"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217068326" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Yechan Bae <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217068326">(Nov 17 2020 at 21:53)</a>:</h4>
<p>Update on the common UB detection project: Our research group found about a hundred of thread safety issues in published crates with a new bug pattern. Before start filing them, we would like to ask a few questions to make both the reporting and the reviewing more efficient.</p>
<h1>1. Is the comment in <a href="https://github.com/RustSec/advisory-db/pull/328">#328</a> still valid (considering the number of advisories that we are about to submit)?</h1>
<blockquote>
<p>We don't generally limit advisories based on crate popularity -- if no one is using the crate, then no one will be bothered by it :-)</p>
</blockquote>
<p>With an example: A bug from one of the least popular crates that we found was <a href="https://github.com/hyyking/rustracts/pull/6">rustracts#6</a>. The crate has been <a href="https://crates.io/crates/parc">downloaded 279 times to date</a>. With that number of downloads, probably the bug does not seriously impact anyone. We know that other security advisories consider "impact of the bug" when filing advisories, so we would like to be confirmed about RUSTSEC's policy.</p>
<h1>2. The bugs allow sending non-Send types across threads or allowing parallel access to non-Sync type. Should we file an advisory with <code>informatinoal="unsound"</code> or not? I asked a similar question before in general context, but this time with the context of this specific bug type.</h1>
<p>Bug examples: <a href="https://github.com/rust-lang/futures-rs/issues/2239">futures-rs#2239</a>, <a href="https://github.com/Amanieu/parking_lot/issues/258">parking_lot#258</a>, <a href="https://github.com/Amanieu/parking_lot/issues/259">parking_lot#259</a>, <a href="https://github.com/bodil/im-rs/issues/157">im-rs#157</a></p>



<a name="217344005"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217344005" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217344005">(Nov 19 2020 at 23:18)</a>:</h4>
<p>For an incorrect <code>Sync</code> or <code>Send</code> bounds we've previously had <code>informational=unsound</code> and regular vulnerablity report used. I'd go with a regular vulnerability report unless proven otherwise. Basically, if we can think of ways to cause memory unsafety with this on the current compiler, it should be a vulnerability; "unsound" is more for theoretical issues that we don't see any real-world impact from.</p>



<a name="217344068"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217344068" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Shnatsel <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217344068">(Nov 19 2020 at 23:19)</a>:</h4>
<p>I remember you called for a more strictly defined boundaries for vulnerabilities, and I agree that it'd be terrific to figure them out, but it's also a lot of work and I didn't have much capacity to work on that this year (ugh, what a year!)</p>



<a name="217505908"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217505908" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Ammar Askar <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217505908">(Nov 21 2020 at 15:25)</a>:</h4>
<p>Thank you, how about question 1? There's gonna be a hundred or so bugs and we don't want to overwhelm you all with advisories. Should we continue to report bugs in these small (~&lt;1,000 downloads, no dependencies) crates or just the main ones?</p>



<a name="217917375"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217917375" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217917375">(Nov 25 2020 at 17:45)</a>:</h4>
<p>perhaps you can triage the important ones and we can go from there</p>



<a name="217917398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/146229-wg-secure-code/topic/reporting-preference/near/217917398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/146229-wg-secure-code/topic/reporting-preference.html#217917398">(Nov 25 2020 at 17:45)</a>:</h4>
<p>if we get overwhelmed by too many advisories we'll let you know, however much of the process is automated now so it should be fine</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>